The Business Information Security Officer (BISO) role is perfect for security professionals who want to build bridges between security and the business. However, there’s significant ambiguity around how a BISO should get started and how they can best serve their organization.
In this post I give my perspective on what makes BISOs universally valuable and provide a strategy for growing from newbie BISO to Trusted Advisor.
first, what the heck is a biso?
The Business Information Security Officer (BISO) role is growing in importance, prominence and prevalence. Today there are 340 open BISO roles in the US at Fortune 500 companies like KPMG, Bank of America and Viacom.
If you Google “what is a BISO” you’ll get several top results. I formed my understanding of the BISO role around Alyssa Miller’s post “What is a Business Information Security Officer (BISO)” and augmented it later with this great interview with Allan Alford. Both give outstanding definitions and have experience as BISOs at large firms. If you still wonder what a BISO is please read and listen to them before continuing with this post. My perspective on this role is built on the foundations they have provided.
what biso’s have in common
I have worked with BISOs extensively as a leader of Cloud Security Engineering and Architecture and as a Big 4 consultant and now I’m a BISO myself. I’ve learned that there is no ”right way” to be a BISO – your day to day experience, role and goals will depend on the context of your organization, the relationship between your business and security and on the needs of your leaders.
Nonetheless I believe there is a set of skills that great BISOs have in common and that make them valuable to their organization no matter their daily responsibilities.
Successful BISOs are great storytellers. They deeply understand their environment and create a compelling, clear, data-driven narrative that describes the interrelationships between the security posture of the business they support and the organization’s overall market strategy and security goals.
They use this narrative to bring key stakeholders to their side and to convince the organization to expend its valuable capital to make difficult, sometimes painful, change.
Practiced security Strategists
Successful BISOs have a track record of driving security strategy. The great news about the role is that there is no single track to it. Amazing BISOs come from every corner of cyber – Incident Response, Third Party Risk Management, SOC – but they have in common that they’ve taken their security organizations from Point A to a much better Point B and learned a lot from the pains and joys of the experience. They bring this knowledge and empathy to the BISO role and help drive the broader organization’s strategy.
Big picture, long-term thinkers
Successful BISOs focus on the big picture and understand how their business lines compete in the market, how they generate revenue, and what their most important product areas are. They use this knowledge to understand 1/where the ”crown jewels” of risk are and 2/where changes to security posture can have the most outsized impact – positive or negative – on their business line.
They find opportunities to both reduce risk and improve the business’ ability to deliver quickly, and they make plans today that will positively impact their organization’s ability to deliver and innovate in the coming years – not just weeks and months.
from new biso to trusted advisor
first, second and third: establish strong relationships
The successful BISO builds a bridge between Security and the Business. That bridge is build with the bricks of strong relationships across your organization. Without them you have no perspective around which to tell a story, build a strategy or develop a big picture!
BISOs are typically senior leaders in an organization and as a result may be tempted to start relationship building with other senior leaders and work their way down. I recommend starting from the Builders in your business line and security organization and gradually working your way up. This will give you exposure to the issues experienced by the people your security strategy will most acutely affect, which will then inform your immediate strategy for solving lingering problems. By the time you meet with senior leadership you will have both valuable perspective to share with them and a plan for earning quick wins.
then, put wins on the board
BISOs may not deliver tangible products like software or architectural diagrams, but they DO deliver measurable outcomes. The new BISO should focus on outcomes that either quickly identify, explain or reduce risk or improve the business line’s ability to deliver value.
Fortunately (depending on your point of view) cybersecurity and businesses are complex and the new BISO is likely to enter an environment full of opportunities for small-to-medium sized wins. I recommend playing to your strengths! I have a cloud background, so my first wins as BISO included a full Well-Architected of our Cloud environments, a clarification and simplification of a complex approval process, and unblocking a set of developers and enabling them to produce value again. A BISO who can provide the same perspective as an expensive outside consultant but for free will set themselves up for success.
These wins give you credibility, show stakeholders you are in the role to make a difference, and help to make friends across the organization. The successful BISO will need all of this before starting the next part of the growth process.
capture a clear pov for your security program
A successful BISO will capture and document a clear point of view regarding the current state of their business’ security program and of the status of the relationship between their business and their Security Organization. The BISO who doesn’t have this point of view will find themselves wandering aimlessly from problem to problem, incapable of defining or executing a strategic plan.
I recommend capturing this point of view in a written document. Powerpoint is fine if you insist, but I prefer a narrative because it’s tougher to hide uncomfortable truths behind pretty pictures. Consider framing the document around your Security organization’s structure: if you have a Security Architecture group, an Application Security group and an API Security group, each should have their own section in your document.
The key to capturing a valuable POV is – did you guess? – relationships. You will need insights and data from each of the teams in your organization to frame your Point of View. Start each section of your document with facts and data – coverage metrics, scan results, number of reviews done can all be useful in defining and supporting your point of view. Finish each section with the perspectives of each team in your organization (I call this section the ”Voice of” each group).
Summarize all of this at the beginning of your document, along with your perspective on the overall state of security for your business line. Remember – the state of security is about more than just security posture! The state of security is a combination of security posture and business satisfaction. How you weight those two components in your final assessment is up to you, but you must include both of them or you won’t be able to take on the next part of the growth process.
advocate for both security and the business
After the BISO has built relationships, earned some credibility and has a clear point of view of the state of their business’ security program, it’s time to use the bridges built to advocate for the business, to security and for security, to the business. The BISO must do both, or they risk falling into a common trap:
You can advocate for security to the business by telling clear, impactful stories about the risk you’ve identified in your POV document and by working with your business line to reduce that risk where possible.
You can advocate for the business to security by telling clear, impactful stories about how security impacts their ability to deliver: perhaps there are too many drawn out review processes, or perhaps a security technology is particularly painful to implement.
The goal of your advocacy is to drive positive, measurable change in both your business line’s security posture and their ability to deliver quickly and securely. Which brings us to our final step in the path:
improve. measure. iterate. repeat.
You’ve established a Point of View and are working with your business and security stakeholders to make improvements. Measure those improvements, update your Point of View on a regular basis (perhaps quarterly!) and repeat the process.